Legal claims defining the scope of protection, as filed with the USPTO.
1. A system, comprising: a processor configured to: monitor network traffic in a core mobile network using a security platform executed on a network element in the core mobile network to identify a new session that attached to the core mobile network for mobile network communications; extract meta information associated with the new session using the security platform executed on the network element in the core mobile network; apply selective intelligent enforcement for mobile networks based on the extracted meta information using the security platform if the extracted meta information associated with the new session matches a selective intelligent enforcement policy, wherein the extracted meta information includes radio access technology (RAT) information, wherein the applying of the selective intelligent enforcement for mobile networks comprises to: check that an IP address associated with the monitored network traffic matches a RAT type configured in a policy; and in response to a determination that the IP address matches the RAT type policy, refer the RAT information to an IP data store of the security platform; and offload the new session to bypass security inspection by the security platform if the extracted meta information associated with the new session does not match the selective intelligent enforcement policy, wherein the network traffic associated with the new session that does not match the selective intelligent enforcement policy bypasses the security platform and layer 7 security is not applied to the network traffic associated with the new session to improve security analysis performance at the security platform; and a memory coupled to the processor and configured to provide the processor with instructions.
2. The system recited in claim 1, wherein the security platform is executed on a host entity in the core mobile network.
3. The system recited in claim 1, wherein the security platform is a virtual firewall executed on a host entity in the core mobile network.
4. The system recited in claim 1, wherein the offloading of the new session to bypass the inspection by the security platform if the extracted meta information associated with the new session does not match the selective intelligent enforcement policy is performed by offloading the new session to a smart network interface card of the network element.
5. The system recited in claim 1, wherein the offloading of the new session to bypass the inspection by the security platform if the extracted meta information associated with the new session does not match the selective intelligent enforcement policy is performed by offloading the new session to a smart network interface card (NIC) of the network element, and wherein the smart NIC includes a data processing unit.
6. The system recited in claim 1, wherein the meta information includes network slice information.
7. The system recited in claim 1, wherein the meta information includes subscriber identity and/or equipment identity information.
8. The system recited in claim 1, wherein the meta information includes access point name (APN) and/or data network name (DNN) information.
9. The system recited in claim 1, wherein the meta information includes location information.
10. The system recited in claim 1, wherein the security platform is configured with a plurality of security policies to apply network slice based security, subscriber identity based security, equipment identity based security, access point name (APN) based security, data network name (DNN) based security, and/or location based security in the core mobile network.
11. The system recited in claim 1, wherein the processor is further configured to: extract the meta information associated with the new session using the security platform executed on the network element in the core mobile network by performing inspection of packet forwarding control protocol (PFCP) messages, application programming interfaces (APIs), and/or syslog messages.
12. The system recited in claim 1, wherein the processor is further configured to: selectively apply application control to the network traffic of subscribers in the core mobile network if the meta information associated with the network traffic matches the selective intelligent enforcement policy; and offload the rest of the network traffic in the core mobile network if the meta information associated with the network traffic does not match the selective intelligent enforcement policy.
13. The system recited in claim 1, wherein the processor is further configured to: selectively apply URL filtering to the network traffic of subscribers in the core mobile network if the meta information associated with the network traffic matches the selective intelligent enforcement policy; and offload the rest of the network traffic in the core mobile network if the meta information associated with the network traffic does not match the selective intelligent enforcement policy.
14. The system recited in claim 1, wherein the processor is further configured to: selectively apply known and/or unknown threat identification and/or prevention to the network traffic of subscribers in the core mobile network if the meta information associated with the network traffic matches the selective intelligent enforcement policy; and offload the rest of the network traffic in the core mobile network if the meta information associated with the network traffic does not match the selective intelligent enforcement policy.
15. A method, comprising: monitoring network traffic in a core mobile network using a security platform executed on a network element in the core mobile network to identify a new session that attached to the core mobile network for mobile network communications; extracting meta information associated with the new session using the security platform executed on the network element in the core mobile network; applying selective intelligent enforcement for mobile networks based on the extracted meta information using the security platform if the extracted meta information associated with the new session matches a selective intelligent enforcement policy, wherein the extracted meta information includes radio access technology (RAT) information, wherein the applying of the selective intelligent enforcement for mobile networks comprises: checking that an IP address associated with the monitored network traffic matches a RAT type configured in a policy; and in response to a determination that the IP address matches the RAT type policy, referring the RAT information to an IP data store of the security platform; and offloading the new session to bypass security inspection by the security platform if the extracted meta information associated with the new session does not match the selective intelligent enforcement policy, wherein the network traffic associated with the new session that does not match the selective intelligent enforcement policy bypasses the security platform and layer 7 security is not applied to the network traffic associated with the new session to improve security analysis performance at the security platform.
16. The method of claim 15, wherein the security platform is executed on a host entity in the core mobile network.
17. The method of claim 15, wherein the security platform is a virtual firewall executed on a host entity in the core mobile network.
18. The method of claim 15, wherein the offloading of the new session to bypass the inspection by the security platform if the extracted meta information associated with the new session does not match the selective intelligent enforcement policy is performed by offloading the new session to a smart network interface card of the network element.
19. A computer program product, the computer program product being embodied in a non-transitory computer readable storage medium and comprising computer instructions for: monitoring network traffic in a core mobile network using a security platform executed on a network element in the core mobile network to identify a new session that attached to the core mobile network for mobile network communications; extracting meta information associated with the new session using the security platform executed on the network element in the core mobile network; applying selective intelligent enforcement for mobile networks based on the extracted meta information using the security platform if the extracted meta information associated with the new session matches a selective intelligent enforcement policy, wherein the extracted meta information includes radio access technology (RAT) information, wherein the applying of the selective intelligent enforcement for mobile networks comprises: checking that an IP address associated with the monitored network traffic matches a RAT type configured in a policy; and in response to a determination that the IP address matches the RAT type policy, referring the RAT information to an IP data store of the security platform; and offloading the new session to bypass security inspection by the security platform if the extracted meta information associated with the new session does not match the selective intelligent enforcement policy, wherein the network traffic associated with the new session that does not match the selective intelligent enforcement policy bypasses the security platform and layer 7 security is not applied to the network traffic associated with the new session to improve security analysis performance at the security platform.
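The match-or-offload decision recited in claims 1, 15 and 19 can be sketched as follows. This is an added illustration, not code from the patent or from any vendor's product. The class names, the RAT/DNN labels, the "empty set means any" rule and the fail-closed handling of unknown addresses are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass(frozen=True)
class SessionMeta:
    """Meta information for a new session (constructed sample fields)."""
    ue_ip: str
    rat: str
    dnn: str = ""
    slice_id: str = ""

@dataclass
class Policy:
    """Hypothetical selective enforcement policy; an empty set means 'any'."""
    rat_types: frozenset = frozenset()
    dnns: frozenset = frozenset()
    slices: frozenset = frozenset()

    def matches(self, m):
        return ((not self.rat_types or m.rat in self.rat_types)
                and (not self.dnns or m.dnn in self.dnns)
                and (not self.slices or m.slice_id in self.slices))

@dataclass
class Enforcer:
    policy: Policy
    ip_store: dict = field(default_factory=dict)   # UE IP -> RAT type
    offloaded: set = field(default_factory=set)    # UE IPs on the bypass path

    def on_new_session(self, m):
        """Decide once per session, keyed on the session's IP address."""
        ip = ip_address(m.ue_ip)
        if self.policy.matches(m):
            self.ip_store[ip] = m.rat      # refer RAT info to the IP data store
            self.offloaded.discard(ip)
            return "inspect"
        self.ip_store.pop(ip, None)        # IP reuse: drop any stale entry
        self.offloaded.add(ip)
        return "offload"

    def on_packet(self, src_ip):
        """Per-packet lookup; layer 7 inspection only for matched sessions."""
        ip = ip_address(src_ip)
        if ip in self.ip_store:
            return "inspect"
        if ip in self.offloaded:
            return "offload"
        return "inspect"  # assumption: unknown addresses fail closed
```

Because offloaded traffic receives no layer 7 inspection, the data store has to be updated whenever an address is reassigned to a new session; the sketch handles that in `on_new_session`.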
July 29, 2025